OSPF P-bit Policy Paradox


Basic Configuration:

R1:

ipv uni

!

interface Ethernet0/0

 ipv6 address 14::1/64

 ipv6 ospf 1 area 2

 no sh

!

ipv6 router ospf 1

 router-id 0.0.0.1

R2:

ipv uni

!

interface Ethernet0/0

 ipv6 address 24::2/64

 ipv6 ospf 1 area 0

 no sh

!

ipv6 router ospf 1

 router-id 0.0.0.2

R3:

ipv uni

!

interface Ethernet0/0

 ipv6 address 34::3/64

 ipv6 ospf 1 area 0

 no sh

!

interface Ethernet0/1

 ipv6 address 200::1/64

 no sh

!

ipv6 route ::/0 200::2

!

ipv6 router ospf 1

 router-id 0.0.0.3

 default-information originate

R4:

ipv uni

!

interface Ethernet0/0

 ipv6 address 14::4/64

 ipv6 ospf 1 area 2

 no sh

!

interface Ethernet0/1

 ipv6 address 24::4/64

 ipv6 ospf 1 area 0

 no sh

!

interface Ethernet0/2

 ipv6 address 34::4/64

 ipv6 ospf 1 area 0

 no sh

!

interface Ethernet0/3

 ipv6 address 45::4/64

 ipv6 ospf 1 area 1

 no sh

!

ipv6 router ospf 1

 router-id 0.0.0.4

 area 1 nssa

R5:

ipv uni

!

interface Ethernet0/0

 ipv6 address 100::1/64

 no sh

!

interface Ethernet0/3

 ipv6 address 45::5/64

 ipv6 ospf 1 area 1

 no sh

!

ipv6 route ::/0 100::2

!

ipv6 router ospf 1

 router-id 0.0.0.5

 area 1 nssa default-information-originate

Configure R3 and R5 to redistribute a default route into OSPF.

On R4, verify that a Type-7 LSA for the default route is received from R5.

R4#sh ipv ospf data nssa

            OSPFv3 Router with ID (0.0.0.4) (Process ID 1)

                Type-7 AS External Link States (Area 1)

  LS age: 1402

  LS Type: AS External Link

  Link State ID: 2

  Advertising Router: 0.0.0.5

  LS Seq Number: 8000000E

  Checksum: 0x5D60

  Length: 44

  Prefix Address: ::

  Prefix Length: 0, Options: P

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  Forward Address: 45::5

R4#

Verify that the ABR R4 is translating the Type-7 LSA into a Type-5 LSA and that it is also receiving a Type-5 LSA for the default route from R3.

R4#sh ipv ospf data ext

            OSPFv3 Router with ID (0.0.0.4) (Process ID 1)

                Type-5 AS External Link States

  LS age: 1635

  LS Type: AS External Link

  Link State ID: 0

  Advertising Router: 0.0.0.3

  LS Seq Number: 8000000D

  Checksum: 0xAA58

  Length: 32

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  External Route Tag: 1

  LS age: 921

  LS Type: AS External Link

  Link State ID: 7

  Advertising Router: 0.0.0.4

  LS Seq Number: 8000000B

  Checksum: 0x3175

  Length: 44

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  Forward Address: 45::5

R4#

R4 compares the cost to reach the Forward Address 45::5 listed in R5’s Type-7 LSA with the cost to reach the ASBR R3. Both paths have the same cost of 10, and because R2 implements RFC 3101, the choice between the Type-5 and the Type-7 LSA is made with the following priorities defined in RFC 3101.

If the current LSA is functionally the same as an

              installed LSA (i.e., same destination, cost and non-zero

              forwarding address) then apply the following priorities in

              deciding which LSA is preferred:

                 1. A Type-7 LSA with the P-bit set.

                 2. A Type-5 LSA.

                 3. The LSA with the higher router ID.

On R4, verify that the Type-7 LSA is preferred over the Type-5 LSA, as RFC 3101 specifies. R4 should have the ON2 route installed through R5, so all Internet traffic received on R4 will be sent along the R5 path.

R4#sh ipv route ospf | beg App

       lA – LISP away, a – Application

ON2 ::/0 [110/1], tag 1

     via 45::5, Ethernet0/3

R4#

On R1, verify that two Type-5 LSAs are present, one from R3 and one from R4.

The Type-5 LSA originated by R3 (0.0.0.3) has the External Route Tag set to 1, while the Type-5 LSA originated by the NSSA ABR R4 carries no External Route Tag, which means the External Route Tag of R4’s Type-5 LSA currently has the value zero (“0”).

R1#sh ipv os data ex

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

                Type-5 AS External Link States

  LS age: 1755

  LS Type: AS External Link

  Link State ID: 0

  Advertising Router: 0.0.0.3

  LS Seq Number: 8000000D

  Checksum: 0xAA58

  Length: 32

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  External Route Tag: 1

  LS age: 1042

  LS Type: AS External Link

  Link State ID: 7

  Advertising Router: 0.0.0.4

  LS Seq Number: 8000000B

  Checksum: 0x3175

  Length: 44

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  Forward Address: 45::5

R1#

R1 looks up the best path to reach the ASBR R3 and the Forward Address 45::5.

There is an inter-area route to reach the ASBR R3 through R4-R3 directly, with a cost of 20.

There is an inter-area route to reach the Forward Address 45::5 through R4-R5 directly, with a cost of 20.

To confirm, use the show ipv os bor command to find the cost to the ASBR R3.

R1#sh ipv os borde

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

Codes: i – Intra-area route, I – Inter-area route

I 0.0.0.3 [20] via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0, ASBR, Area 2, SPF 21

i 0.0.0.4 [10] via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0, ABR/ASBR, Area 2, SPF 21

R1#

But wait a moment: R1 has only one exit point towards external networks, so only one OE2 route is installed, through R4.

R1#sh ipv route os | beg App

       lA – LISP away, a – Application

OE2 ::/0 [110/1]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  24::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  34::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  45::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

R1#

But which Type-5 LSA is used for SPF computation?

To see which Type-5 LSA is used for SPF computation, let’s verify the OSPF RIB.

The external route ::/0 is shown as the best route with tag 0.

R1#sh ipv os rib

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

OSPF local RIB

Codes: * – Best, > – Installed in global RIB

*   14::/64, Intra, cost 10, area 2, Connected

      via Ethernet0/0

*>  24::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  34::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  45::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  ::/0, Ext2, cost 1, fwd cost 20, tag 0

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

R1#

What does Tag 0 mean? This is the External Route Tag of the Type-5 LSA originated by R4.

Let’s enable the debug ipv os spf exte command and reinitialize the OSPF process.

R1#debug ipv os spf external

OSPFv3 SPF external debugging is on for process 1, IPv6, Default vrf

R1#

R1#clear ipv os proce

Reset selected OSPFv3 processes? [no]: y

R1#

The debug output shows that R1 is receiving two LSAs of type 4005 (the OSPFv3 name for the Type-5 LSA), from R3 (0.0.0.3) and R4 (0.0.0.4). The line “Add reachable forward address 45::5, allowed types Intra and Inter, to watched queue” shows that the Type-5 LSA originated by R4 is used for SPF computation.

R1#

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 MON  : Begin SPF at 27018.540, process time 394ms

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: External SPF in area ASE

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER:   LSA 4005/0/0.0.0.3, age 1854, seq 0x8000000D, prefix ::/0 (area ASE) metric 1

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER:   LSA 4005/7/0.0.0.4, age 1140, seq 0x8000000B, prefix ::/0 (area ASE) metric 1

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: Add reachable forward address 45::5, allowed types Intra and Inter, to watched queue

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER:    forwarding address 45::5

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: External SPF in area 2

R1#

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

*Apr 11 05:31:04.886: OSPFv3-1-IPv6 MON  : End SPF at 27018.540, Total elapsed time 0ms

R1#

The Tag value displayed in the OSPF RIB of R1 indicates that the Type-5 LSA originated by R4 is the one used for SPF computation. From R1’s perspective, Internet traffic follows the computed path through R4 and R5. R1 is therefore using the correct Type-5 LSA from R4 (the translation of R5’s Type-7 LSA) to calculate how to reach the Internet.

Configure R4 to not advertise the default Type-7 LSA, so that it isn’t translated into a Type-5 LSA. The summary-prefix 0::/0 not-advertise command prevents the default route 0::/0 from going out to area 2.

R4(config)#ipv router os 1

R4(config-rtr)#summary-prefix 0::/0 not-advertise

Let’s verify the Type-7 LSA originated by R5. The Type-7 LSA has the translator P-bit set. The External Route Tag is zero since it is not included.

R4#sh ipv os data nssa

            OSPFv3 Router with ID (0.0.0.4) (Process ID 1)

                Type-7 AS External Link States (Area 1)

  LS age: 1747

  LS Type: AS External Link

  Link State ID: 2

  Advertising Router: 0.0.0.5

  LS Seq Number: 8000000E

  Checksum: 0x5D60

  Length: 44

  Prefix Address: ::

  Prefix Length: 0, Options: P

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  Forward Address: 45::5

R4#

The show ipv os data ext command shows that only the Type-5 LSA originated by R3 is present. The NSSA ABR R4 is not translating R5’s Type-7 LSA because of the “not-advertise” keyword.

R4#sh ipv os data ext

            OSPFv3 Router with ID (0.0.0.4) (Process ID 1)

                Type-5 AS External Link States

  LS age: 1974

  LS Type: AS External Link

  Link State ID: 0

  Advertising Router: 0.0.0.3

  LS Seq Number: 8000000D

  Checksum: 0xAA58

  Length: 32

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  External Route Tag: 1

R4#

R4 compares the cost to reach the Forward Address 45::5 listed in R5’s Type-7 LSA with the cost to reach the ASBR R3. Both paths have the same cost of 10, and because R2 implements RFC 3101, the choice between the Type-5 and the Type-7 LSA is made with the following priorities defined in RFC 3101.

If the current LSA is functionally the same as an

              installed LSA (i.e., same destination, cost and non-zero

              forwarding address) then apply the following priorities in

              deciding which LSA is preferred:

                 1. A Type-7 LSA with the P-bit set.

                 2. A Type-5 LSA.

                 3. The LSA with the higher router ID.

On R4, verify that the Type-7 LSA is preferred over the Type-5 LSA, as RFC 3101 specifies. R4 should have the ON2 route installed through R5, so all Internet traffic received on R4 will be sent along the R5 path.

R4#sh ipv route os | beg App

       lA – LISP away, a – Application

ON2 ::/0 [110/1], tag 1

     via 45::5, Ethernet0/3

R4#

Let’s execute the sh ipv os data ext command on R1.

R1 is now learning only one Type-5 LSA, from R3 (0.0.0.3). That Type-5 LSA has the External Route Tag set to 1.

R1#sh ipv os data ext

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

                Type-5 AS External Link States

  LS age: 95

  LS Type: AS External Link

  Link State ID: 0

  Advertising Router: 0.0.0.3

  LS Seq Number: 8000000E

  Checksum: 0xA859

  Length: 32

  Prefix Address: ::

  Prefix Length: 0, Options: None

  Metric Type: 2 (Larger than any link state path)

  Metric: 1

  External Route Tag: 1

R1#

The debug output shows that R1 is receiving only one LSA 4005, from R3 (0.0.0.3). The line “Add reachable forward address 45::5” no longer appears, so the Type-5 LSA originated by R3 is used for SPF computation for Internet traffic.

R1#

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 MON  : Begin SPF at 27216.648, process time 395ms

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: External SPF in area ASE

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER:   LSA 4005/0/0.0.0.3, age 63, seq 0x8000000E, prefix ::/0 (area ASE) metric 1

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: External SPF in area 2

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

R1#

*Apr 11 05:34:22.994: OSPFv3-1-IPv6 MON  : End SPF at 27216.648, Total elapsed time 0ms

R1#

R1 has only one exit point towards external networks, so only one OE2 route is installed, through R4.

R1#sh ipv route os | beg App

       lA – LISP away, a – Application

OE2 ::/0 [110/1], tag 1

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  24::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  34::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

OI  45::/64 [110/20]

     via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

R1#

Let’s verify the OSPF RIB. The external route ::/0 is shown as the best route with tag 1. Tag 1 confirms that R3’s Type-5 LSA is used for SPF computation.

From R1’s perspective, Internet traffic will follow the computed path via R3.

R1#sh ipv os rib

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

OSPF local RIB

Codes: * – Best, > – Installed in global RIB

*   14::/64, Intra, cost 10, area 2, Connected

      via Ethernet0/0

*>  24::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  34::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  45::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  ::/0, Ext2, cost 1, fwd cost 20, tag 1

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

R1#

The NSSA ABR R4 is configured with a summary prefix using the “not-advertise” keyword, so the Type-7 LSA is not propagated even though its P-bit is set.

Since the default route advertised by R5 is installed on R4, R1’s Internet traffic is hijacked through R4 by R5 rather than following the path computed from R3’s Type-5 LSA.

RFC 3101 describes this paradox in the following appendix.

Appendix E: The P-bit Policy Paradox.

Non-default Type-7 LSAs with the P-bit clear may be installed in the

   OSPF routing table of NSSA border routers.  (See Section 2.5.)  These

   LSAs are not propagated throughout the OSPF domain as translated

   Type-5 LSAs.  (See Section 3.2.)  Thus, traffic that is external to

   an NSSA and that passes through one of the NSSA’s border routers may

   be hijacked into the NSSA by a route installed from a Type-7 LSA with

   the P-bit clear.  This may be contrary to the expected path at the

   source of the traffic.  It may also violate the routing policy

   intended by the Type-7 LSA’s clear P-bit.  A Type-7 address range

   that is configured with DoNotAdvertise exhibits the same paradox for

   any installed Type-7 LSAs it subsumes, regardless of the P-bit

   setting.

   This paradox is best illustrated by the following example.  Consider

   an OSPF domain (AS 1842) with connections for default Internet

   routing and to external AS 4156.  NSSA 1 and OSPF Area 2 are

   partially defined in the following diagram:

                              AS 4156
                                |
            Area 2              |
                                |
              A2                A0   Area 0      C0-----Internet
              |                 |                |      Default
              |                 |                |
              |                 |                |
              +-----------------B0---------------+
                                /\
                               /  \
                              /    \
         Internet------------A1    B1------AS 4156 (P-bit clear)
         Default (P-bit set)
                                 NSSA 1

   Here A0, B0, and C0 are Area 0 routers, A1 and B1 are NSSA 1 routers,

   and A2 is an Area 2 router.  B0 is a border router for both NSSA 1

   and Area 2.

   If the Type-7 external routes imported by B1 for AS 4156 are

   installed on B0 so that the NSSA 1 tree below A1 can take advantage

   of them, then A2’s traffic to AS 4156 is hijacked through B0 by B1,

   rather than its computed path through A0.

   An NSSA border router’s installed Type-7 default LSAs will exhibit

   this paradox when it possesses a Type-7 address range [0,0]

   configured with DoNotAdvertise, as these LSAs are not propagated even

   though their P-bit is set.  In the example above, if A1’s default is

   installed on B0, which has a configured Type-7 address range [0,0]

   with DoNotAdvertise set, then A2’s Internet traffic is hijacked

   through B0 by A1 rather than the computed path through C0.

By default, Cisco routers implement RFC 3101 for NSSA behavior, as shown below.

R4#sh ipv os | s RFC

 Supports NSSA (compatible with RFC 3101)

 Supports Database Exchange Summary List Optimization (RFC 5243)

 RFC1583 compatibility enabled

    Area BACKBONE(0)

R4#

Configure R2 to conform with RFC 1587 using the compatible rfc1587 command.

RFC 1587 says: When a type-5 LSA and a type-7 LSA are found to have the

         same type and an equal distance, the following priorities

         apply (listed from highest to lowest) for breaking the tie.

                 a. Any type 5 LSA.

                 b. A type-7 LSA with the P-bit set and the forwarding

                    address non-zero.

                 c. Any other type-7 LSA.

R4(config)#ipv router os 1

R4(config-rtr)#compatible rfc1587

Verify that RFC 1587 is enabled.

R4#sh ipv os | s RFC

 Supports NSSA (compatible with RFC 1587)

 Supports Database Exchange Summary List Optimization (RFC 5243)

 RFC1583 compatibility enabled

    Area BACKBONE(0)

R4#

If we enable RFC 1587 with the compatible rfc1587 command, R4 prefers the Type-5 LSA advertised by R3 over the Type-7 LSA originated by R5. R4’s routing table shows that the OE2 route through R3 is installed and is preferred over the ON2 route originated by R5.

R4#sh ipv route os | beg App

       lA – LISP away, a – Application

OE2 ::/0 [110/1], tag 1

     via FE80::A8BB:CCFF:FE00:3000, Ethernet0/2

R4#

Let’s verify the OSPF RIB of R1. The external default route ::/0 has the External Route Tag 1, which is the tag value assigned by R3 in its Type-5 LSA. This means that all Internet traffic will follow the computed path through R3.

R1#sh ipv os rib

            OSPFv3 Router with ID (0.0.0.1) (Process ID 1)

OSPF local RIB

Codes: * – Best, > – Installed in global RIB

*   14::/64, Intra, cost 10, area 2, Connected

      via Ethernet0/0

*>  24::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  34::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  45::/64, Inter, cost 20, area 2

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

*>  ::/0, Ext2, cost 1, fwd cost 20, tag 1

      via FE80::A8BB:CCFF:FE00:4000, Ethernet0/0

R1#

Since the default route advertised by R3 is installed on R4, R1’s Internet traffic is not hijacked and follows the correct path computed from R3’s Type-5 LSA.

R1#

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 MON  : Begin SPF at 27537.452, process time 398ms

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: External SPF in area ASE

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER:   LSA 4005/0/0.0.0.3, age 384, seq 0x8000000E, prefix ::/0 (area ASE) metric 1

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: External SPF in area 2

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: AS external route sync for area ASE

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

*Apr 11 05:39:43.798: OSPFv3-1-IPv6 EXTER: AS external route sync for area 2

R1#
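The two tie-break lists quoted above and the Appendix E condition, modelled as an added Python example (not from the original post and not Cisco's implementation). The Lsa class, the function names and the exact-match handling of the DoNotAdvertise range are assumptions of this sketch; the two sample LSAs are constructed from the lab outputs.

```python
# Added illustration: which LSA an NSSA border router installs under each RFC,
# and whether that choice diverts transit traffic (RFC 3101 Appendix E).
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Lsa:
    ls_type: int          # 5 = AS-external, 7 = NSSA external
    adv_router: str       # Advertising Router (router ID)
    prefix: str
    p_bit: bool = False   # "Options: P" in the Type-7 output
    fwd_addr: str = ""    # empty string = no forwarding address


def rank(lsa, mode):
    """Lower rank wins among functionally equal LSAs."""
    if mode == "rfc3101":
        if lsa.ls_type == 7 and lsa.p_bit:
            return 0
        return 1 if lsa.ls_type == 5 else 2
    if mode == "rfc1587":
        if lsa.ls_type == 5:
            return 0
        return 1 if (lsa.p_bit and lsa.fwd_addr) else 2
    raise ValueError(f"unknown mode: {mode}")


def preferred(lsas, mode):
    """Pick the LSA the NSSA border router installs for one prefix."""
    # Final tie-break: higher router ID (listed in RFC 3101; applying it in
    # rfc1587 mode is an assumption of this sketch).
    return min(lsas, key=lambda x: (rank(x, mode), -int(IPv4Address(x.adv_router))))


def is_translated(lsa, do_not_advertise):
    """Type-7 becomes Type-5 only with P set and no DoNotAdvertise range on it.
    Assumption: ranges are matched by exact prefix, subsumption is not modelled."""
    return lsa.ls_type == 7 and lsa.p_bit and lsa.prefix not in do_not_advertise


def paradox(lsas, mode, do_not_advertise=frozenset()):
    """True when the border router forwards on a Type-7 LSA that other areas never see."""
    best = preferred(lsas, mode)
    return best.ls_type == 7 and not is_translated(best, do_not_advertise)


# Constructed from the lab outputs above: R3's Type-5 and R5's Type-7 default.
R3_T5 = Lsa(5, "0.0.0.3", "::/0")
R5_T7 = Lsa(7, "0.0.0.5", "::/0", p_bit=True, fwd_addr="45::5")
LAB = [R3_T5, R5_T7]

if __name__ == "__main__":
    for mode, dna in [("rfc3101", set()), ("rfc3101", {"::/0"}), ("rfc1587", {"::/0"})]:
        best = preferred(LAB, mode)
        state = "paradox" if paradox(LAB, mode, dna) else "consistent"
        print(f"{mode} not-advertise={sorted(dna)}: "
              f"installs Type-{best.ls_type} from {best.adv_router} ({state})")
```

The three cases printed match the three states of R4 in the lab: translation active, summary-prefix 0::/0 not-advertise, and compatible rfc1587.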
